PT-2025-49322 · Dropbox+5

Published: 2025-12-05 · Updated: 2025-12-09 · CVE-2025-66629

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.10.4
Description: HedgeDoc is a real-time, collaborative, markdown notes application. Certain OAuth2 endpoints used for social login providers—including Google, GitHub, GitLab, Facebook, and Dropbox—did not include CSRF protection. Specifically, these endpoints lacked a state parameter and verification of the response using this parameter. This could allow attackers to potentially hijack user authentication sessions.
Recommendations: Update to version 1.10.4 or later.

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-66629
GHSA-6WM6-3VPQ-6QVV

Affected Products

Dropbox
Facebook
GitHub
GitLab
Google
HedgeDoc